DETAILED ACTION

The Request for Continued Examination has been entered and accepted. 

Response to Arguments 

Applicant's arguments filed 9/30/2008 have been fully considered but they are not
persuasive. Applicant argues that Drake and Togawa do not make explicit the teaching of a log
containing screen shots, program usage, and websites visited.

Examiner asserts the applicant has admitted in the Background section of the instant 
specification that such log data is well known to those of ordinary skill in the art, as shown in 
paragraph 4 of page 2. 

software programs provide a wide variety of monitoring features. For example, some of
these programs are able to log keystrokes of a user, log many commands, take screen
shots of a user's computer screen at various times, track use of various programs, track
what web sites have been visited, monitor e-mail communications, etc. With the
technology available today, most, if not all, of a computer user's activities on a computer
can be observed and recorded.

Thus, the instant specification teaches that a log may include screen shots, program usage, and
websites visited.

Double Patenting 

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public 
policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of 
the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A 
nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are
not identical, but at least one examined application claim is not patentably distinct from the reference
claim(s) because the examined application claim is either anticipated by, or would have been obvious over,
the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re
Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645
(Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438,
164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).



A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may 
be used to overcome an actual or provisional rejection based on a nonstatutory double 
patenting ground provided the conflicting application or patent either is shown to be 
commonly owned with this application, or claims an invention made as a result of 
activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal 
disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 
3.73(b). 

Claims 1-21 are provisionally rejected on the ground of nonstatutory obviousness-type 
double patenting as being unpatentable over claims 1-18 of copending Application No. 
09/491,727. Although the conflicting claims are not identical, they are not patentably 
distinct from each other because it would have been obvious to one of ordinary skill in
the art to store the second authentication value in a third file. 

This is a provisional obviousness-type double patenting rejection because the conflicting 
claims have not in fact been patented. 

Claim(s) 1, 16, 17 of application # 09/491,727 contain(s) elements of
Claim(s) 1, 21 of the instant application and as such anticipate(s) claim(s) 1,
21 of the instant application.

All dependent claims are also anticipated by application # 09/491,727. These claims will
be detailed in the final rejection.



Claim Rejections - 35 USC §103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

Claims 1-21 are rejected under 35 U.S.C. 103(a) as being unpatentable over Togawa U.S.
Patent No. 6,240,530, and further in view of Drake U.S. Patent No. 6,006,328.

Togawa teaches a system for the detection and removal of computer malware. 
Togawa fails to teach explicitly searching for observer programs as part of that malware. 
Drake teaches security methods to protect against attacks by malicious software such as 
eavesdropping malware. 

It would have been obvious to one of ordinary skill in the art at the time of the applicant's 
invention to combine the system of Drake with that of Togawa for the advantages of improved 
security by adding the features of protection against such malicious activities as eavesdropping 
to the ability of the scanning system as described by Togawa. 

It is desirable within any computer system to maintain the security and integrity of such a 
system while preventing damage to the data and components included therein. Drake teaches 
protection of the client computer system against malicious software as does Togawa. Although 
each system teaches protection against a different type of malware by way of scanning the 
computer system, protecting against all forms of malware is desirable. (Drake Col 3 lines 30-52).

Regarding Claims 1 and 21: Observer program data characteristics descriptive of a plurality of
observer programs where the observer programs are programmed to observe activities on a
computer system and to create log data. (Togawa Fig 1 .si, Col 5 lines 10-19; Drake Fig 4, 5, Col 3
lines 31-52) As it is understood, the detection of a virus and its type as within Togawa requires
recognition of characteristics of a virus. Those characteristics residing within the computer
system's various components as any particular virus infects that system; so then the same is true
within the combined system for the detection of an observer program as defined by Drake.

Obtain memory data of the computer by using computer instructions (Togawa Fig 1, Col 8 lines
14-30) As explained above, the detection of the malware requires checking the system, which is
inclusive of the memory data; therefore in order for the functionality to proceed it must in some
way obtain such data for scanning. It is well known to those of ordinary skill in the art that log
data may contain screen shots, program usage, and websites visited, as admitted in the instant
specification (page 2).

Comparing memory data with observer program data characteristics for detection of an observer 
program (Col 8 lines 14-30) As it is known within the art virus scanning is the process of 
comparing two such sets of data. Further within the combined system the observer program 
characteristics are included within the set of the compared traits. Generating a result of whether 
an observer program is present (Fig 1, Fig 3-4 Col 5 lines 10-38) Detection denotes that a result 
is generated as to the response of the scanning process. 

Presenting results through a GUI (Fig 3-4, Col 5 lines 39-50, Col 13 lines 8-55, Col 14 lines
18-25) As denoted the display performs functions of disseminating operational information which is
in a graphical form and presented within an OS that the user is capable of interacting with.

Regarding Claims 2 and 3: Memory data includes startup and registry startup commands (Col 8 
lines 14-30, Col 13 lines 19-56) As stated the memory contains all necessary information for the 
processes of the machine; these processes being inclusive of starting up necessary portions for 
operation thereof; such as the OS which includes a registry and the virus detection that being its 
own implementation scans the memory that these commands are located within. 

Regarding Claims 4 and 5: Observer program characteristics include observer import/export 
table data for comparison with memory import/export table data to determine the presence of an 
observer program (Col 8 lines 14-30, Col 13 lines 19-56) As explained above all of the common 
features of the memory and functionality of the system are scanned via the anti-malware system.

Regarding Claim 6: Observer program characteristics include observer resource data for
comparison with memory resource data to determine the presence of an observer program (Col 8 
lines 14-30, Col 13 lines 19-56) 

Regarding Claim 7: Observer program characteristics include observer file content data for 
comparison with memory file content data to determine the presence of an observer program 
(Col 8 lines 14-30, Col 13 lines 19-56) Additionally, as is shown and well known within the art 
file content is compared to malware characteristics for detection of such programs located 
commonly in such a place.

Regarding Claim 8: The comparing instruction compare the observer file content data with
memory file content data at an offset address (Fig 1, Fig 3-4, Col 5 lines 10-20, Col 13 lines
19-56) The process of scanning for malware is inclusive of the entire range of memory; therefore the
process must offset the data being scanned by that which has already been.

Regarding Claim 9: The comparing instruction compare the observer file content data with a 
span of the memory file content data identified by an offset address (Fig 1, Fig 3-4, Col 5 lines 
10-20, Col 13 lines 19-56) The process of scanning for malware is inclusive of the entire range 
of memory; therefore that which is scanned is a span of memory that is offset by the amount 
previously scanned. 

Regarding Claim 10: Observer program characteristics include observer module loading data for 
comparison with memory module loading data to determine the presence of an observer program 
(Col 5 lines 10-20, Col 13 lines 19-56) 

Regarding Claim 11: Observer program characteristics include OS observing functions for
comparison with memory functions from the memory data to determine the presence of an
observer program (Col 5 lines 10-20, Col 13 lines 19-56)

Regarding Claim 12: Memory data includes explorer extension data (Col 13 lines 19-56)
Regarding Claim 13: Memory data includes file use information (Col 13 lines 19-56)
Regarding Claim 14: Memory data includes process information (Col 13 lines 19-56)
Regarding Claim 15: Memory data includes running process information (Col 13 lines 19-56)
Regarding Claim 16: Memory data includes loaded module information (Col 13 lines 19-56)
Regarding Claim 17: Memory data includes driver data (Col 13 lines 19-56)
Regarding Claim 18: Memory data includes kernel driver data (Col 13 lines 19-56) All of the
above stated separate memory data components are included within any resident memory of a 
common computer system that a system such as the combination of Togawa and Drake would be 
implemented upon. 

Regarding Claims 19 and 20: Instruction to disable an observer program if present (Fig 1, Fig 10, 
Col 5 lines 10-50, Col 19 line 15 - Col 20 line 65) 

Entering a startup command to load a kill program before the observer program is started (Fig 
10, Col 19 line 15 - Col 20 line 65) As shown within the figure the system clears the memory 
then loads a secondary extermination routine, inclusive of the secondary OS and associated 
extermination routine, so that the observer program is not reloaded and instead the kill program 
is loaded and executed. 

Rebooting the computer (Fig 1, Fig 10) As it is shown after the detection and initial clearing of 
memory the system must be rebooted with a separate non-infected operating system to further 
allow for the deletion of any other virus elements. 

Starting the kill program by execution of the startup command (Fig 10, Col 19 line 15 - Col 20
line 65) As explained above the kill program is loaded at startup so the virus may not load.

Deleting the observer program startup command and files (Fig 10, Col 19 line 15 - Col 20 line
65) The process of clearing the memory as stated within the cited lines and exterminating the
malware is the process of deleting the startup command.

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to CHRISTOPHER J. BROWN whose telephone number is 
(571)272-3833. The examiner can normally be reached on 8:30-6:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kambiz Zand can be reached on (571)272-3811. The fax phone number for the
organization where this application or proceeding is assigned is 571-273-8300. Information
regarding the status of an application may be obtained from the Patent Application Information
Retrieval (PAIR) system. Status information for published applications may be obtained from
either Private PAIR or Public PAIR. Status information for unpublished applications is available
through Private PAIR only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the
Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from
a USPTO Customer Service Representative or access to the automated information system, call
800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Christopher J Brown/ 3/22/09 
Primary Examiner, Art Unit 2434 



